Purpose
The purpose of this documentation is to show how to configure different sections of the ZyWall USG 100 firewall. While it is a nice firewall, its explanations, inline "clues" and documentation are not always intuitive.

It is always a good idea to back up the firewall's configuration before making changes. On that note, the ZyWall documentation suggests "shutting down" the device via the GUI. This does not actually power the device off: it runs a countdown and then "freezes" itself, and once that completes (it takes a few minutes) you have to physically unplug it to truly shut it down. As an additional note, when powering the ZyWall back on, it takes a few minutes before the SYS light stops blinking and becomes solid.

Rather than rely on the very limited on-board storage, you may want to pick up a USB drive and plug it into one of the USB ports on the front of the ZyWall. You will need to activate USB storage as shown.

Next, you may have users who want to connect to the office network (which you can segment into multiple LANs, and so on). This example covers an L2TP VPN and creating a group that will contain those users.

Since you will have a variety of users connected to one or more of your LAN ports, you can assign them IP addresses dynamically (DHCP) as well as reserve specific IP addresses for specific MAC addresses, among other things.

Undoubtedly you will want to connect the ZyWall to the "outside", which in this case is the Internet (if that is how you are using it). Most of the time, especially if you do not have a static IP assigned, you will want automatic address selection. However, if you have a static IP and want to configure it manually, or if you have multiple static IP addresses and one of them is allocated to traffic behind the ZyWall (say you have Cable Modem -> Switch -> ZyWall), you will have to enter the static IP information here.

From this section you can re-assign ports and subnets. This is handy if you need more than one port to support a specific segment of your network, or if you want to change things like which port the DMZ is on.

Under "Forbidden Web Sites" enter the resources you do not want to allow. For the broadest blocking, use a wildcard before and after the domain name, such as *somesite.com*. That is needed because if you enter only "somesite.com", a user could request "www.somesite.com" or "somesite.com/index.html" and still reach the resource. Be aware that because the wildcard matches any run of characters, *somesite.com* also matches any URL that merely contains that string anywhere (a query string such as ?ref=somesite.com on an unrelated site, or a hostname like notsomesite.com), so check the pattern against a few URLs you want to allow before rolling it out.

It is important to note that while you can block web sites via the resources you have defined and created a policy for, those URLs are only blocked when a user on the network requests them over regular HTTP (port 80). The filter works by inspecting the plaintext HTTP request, where the hostname and path are readable. With HTTPS the request is encrypted inside the TLS session, and the firewall will not block it; a user who simply changes http:// to https:// in the address bar gets through.
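The two points above (what the wildcards in a "Forbidden Web Sites" entry actually match, and why a URL filter that reads plaintext HTTP cannot see an HTTPS request) can be shown with a small simulation of what a filtering middlebox sees. This is an added example written for this page, not code from the ZyWall or from ZyXEL. It assumes that the firewall's `*` means "any run of characters" and that the pattern is compared against host + path; both are assumptions about ZyWall semantics made only for the demo. The HTTP request and the TLS ClientHello are constructed inline (the ClientHello is a minimal one carrying only an SNI extension), not captured traffic.

```python
import fnmatch
import struct
from typing import Optional, Tuple

# Constructed sample traffic (not captured from a ZyWall): a page fetched over plain HTTP.
HTTP_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                b"Host: www.somesite.com\r\n"
                b"User-Agent: example\r\n\r\n")


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying only an SNI extension.

    Constructed for the demo; a real browser sends far more, but the point is
    what a middlebox can read: the SNI hostname is in the clear, the path is not.
    """
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # server_name list, type host_name
    ext = struct.pack("!HH", 0, len(sni)) + sni                     # extension type 0 = server_name
    hello = (b"\x03\x03" + bytes(32)            # client_version + random (zeroed for the demo)
             + b"\x00"                          # session_id length 0
             + b"\x00\x02\x13\x01"              # one cipher suite
             + b"\x01\x00"                      # one compression method: null
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record header


def parse_http_request(data: bytes) -> Optional[Tuple[str, str]]:
    """Return (host, path) from a plaintext HTTP/1.x request, or None if it is not one."""
    try:
        head = data.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return host, parts[1]


def parse_tls_sni(data: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None."""
    if len(data) < 5 or data[0] != 0x16:                      # not a TLS handshake record
        return None
    body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:                      # not a ClientHello
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                              # skip client_version + random
    pos += 1 + hello[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + hello[pos]                                     # compression_methods
    if pos + 2 > len(hello):
        return None                                           # no extensions at all
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        ext = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0:                                     # server_name extension
            name_len = struct.unpack("!H", ext[3:5])[0]
            return ext[5:5 + name_len].decode("ascii")
    return None


def match_pattern(url: str, pattern: str) -> bool:
    """Glob-style match: '*' = any run of characters, compared against host + path.
    (Assumed ZyWall semantics, for the demo only.)"""
    return fnmatch.fnmatchcase(url, pattern)


def filter_decision(data: bytes, patterns=("*somesite.com*",)) -> Tuple[str, str]:
    """What a URL filter sees in one client-to-server message, and its verdict.

    Returns (visible_text, verdict): 'block' or 'allow' for plaintext HTTP,
    'no-url' for TLS (only the SNI hostname is readable; the path is encrypted).
    """
    req = parse_http_request(data)
    if req is not None:
        url = req[0] + req[1]
        verdict = "block" if any(match_pattern(url, p) for p in patterns) else "allow"
        return url, verdict
    sni = parse_tls_sni(data)
    if sni is not None:
        return sni, "no-url"
    return "", "opaque"


if __name__ == "__main__":
    for pat in ("somesite.com", "*somesite.com*"):
        for url in ("www.somesite.com/index.html", "somesite.com/index.html",
                    "cdn.example/track?ref=somesite.com"):
            print(f"{pat:16} vs {url:36} -> {match_pattern(url, pat)}")
    print(filter_decision(HTTP_REQUEST))
    print(filter_decision(build_client_hello("www.somesite.com")))
```

Running it shows the bare entry "somesite.com" matching none of the real URLs, "*somesite.com*" matching all of them including the unrelated cdn.example URL that only carries the name in a query string, and the HTTPS request yielding just the hostname with no URL to compare against the pattern.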

Instead, to block access to a resource when it is requested over HTTPS, the ZyWall offers some capability through what is known as "AppPatrol".